evolix
/
ansible-roles
18
2
Fork 2
Code Issues 61 Pull Requests 18 Releases 32 Wiki Activity
ansible-roles/evoacme/files/evoacme.sh

268 lines
8.6 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#
# evoacme is a shell script to manage Let's Encrypt certificate with
# certbot tool but with a dedicated user (no-root) and from a csr
#
# Author: Victor Laborie <vlaborie@evolix.fr>
# Licence: AGPLv3
#
set -e
set -u
usage() {
echo "Usage: $0 NAME"
echo ""
echo "NAME must be correspond to :"
echo "- a CSR in ${CSR_DIR}/NAME.csr"
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
echo ""
echo "If env variable TEST=1, certbot is run in staging mode"
echo "If env variable DRY_RUN=1, certbot is run in dry-run mode"
echo "If env variable CRON=1, no message is output"
echo ""
}
debug() {
[ "${CRON}" != "1" ] && echo "$1"
}
error() {
echo "error: $1" >&2
[ "$1" = "invalid argument(s)" ] && usage
exit 1
}
sed_cert_path_for_apache() {
vhost=$1
vhost_full_path="/etc/apache2/ssl/${vhost}.conf"
cert_path=$2
[ ! -r "${vhost_full_path}" ] || return 0
search="^SSLCertificateFile.*$"
replace="SSLCertificateFile ${cert_path}"
if ! $(grep -qE "${search}" "${vhost_full_path}"); then
[ -w "${vhost_full_path}" ] || error "File ${vhost_full_path} is not writable"
sed -i "s~^${search}~${replace}~" "${vhost_full_path}"
debug "Config in ${vhost_full_path} has been updated"
$(command -v apache2ctl) -t
fi
}
sed_cert_path_for_nginx() {
vhost=$1
vhost_full_path="/etc/nginx/ssl/${vhost}.conf"
cert_path=$2
[ ! -r "${vhost_full_path}" ] || return 0
search="^ssl_certificate[^_].*$"
replace="ssl_certificate ${cert_path};"
if ! $(grep -qE "${search}" "${vhost_full_path}"); then
[ -w "${vhost_full_path}" ] || error "File ${vhost_full_path} is not writable"
sed -i "s~${search}~${replace}~" "${vhost_full_path}"
debug "Config in ${vhost_full_path} has been updated"
$(command -v nginx) -t
fi
}
x509_verify() {
file="$1"
[ -r "$file" ] || error "File ${file} not found"
${OPENSSL_BIN} x509 -noout -modulus -in "$file" >/dev/null
}
csr_verify() {
file="$1"
[ -r "$file" ] || error "File ${file} not found"
${OPENSSL_BIN} req -noout -modulus -in "$file" >/dev/null
}
x509_enddate() {
file="$1"
[ -r "$file" ] || error "File ${file} not found"
${OPENSSL_BIN} x509 -noout -enddate -in "$file"
}
main() {
# Read configuration file, if it exists
[ -r /etc/default/evoacme ] && . /etc/default/evoacme
# Default value for main variables
SSL_KEY_DIR=${SSL_KEY_DIR:-"/etc/ssl/private"}
ACME_DIR=${ACME_DIR:-"/var/lib/letsencrypt"}
CSR_DIR=${CSR_DIR:-"/etc/ssl/requests"}
CRT_DIR=${CRT_DIR:-"/etc/letsencrypt"}
LOG_DIR=${LOG_DIR:-"/var/log/evoacme"}
SSL_MINDAY=${SSL_MINDAY:-"30"}
SELF_SIGNED_DIR=${SELF_SIGNED_DIR:-"/etc/ssl/self-signed"}
SSL_EMAIL=${SSL_EMAIL:-""}
[ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable"
[ -w "${ACME_DIR}" ] || error "Directory ${ACME_DIR} is not writable"
[ -w "${CSR_DIR}" ] || error "Directory ${CSR_DIR} is not writable"
[ -w "${CRT_DIR}" ] || error "Directory ${CRT_DIR} is not writable"
[ -w "${LOG_DIR}" ] || error "Directory ${LOG_DIR} is not writable"
[ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable"
CRON=${CRON:-"0"}
TEST=${TEST:-"0"}
DRY_RUN=${DRY_RUN:-"0"}
[ "$1" = "-h" ] || [ "$1" = "--help" ] && usage && exit 0
# check arguments
[ "$#" -eq 1 ] || error "invalid argument(s)"
VHOST=$(basename "$1" .conf)
# check for important programs
OPENSSL_BIN=$(command -v openssl) || error "openssl command not installed"
CERTBOT_BIN=$(command -v certbot) || error "certbot command not installed"
# double check for directories
[ -d "${ACME_DIR}" ] || error "${ACME_DIR} is not a directory"
[ -d "${CSR_DIR}" ] || error "${CSR_DIR} is not a directory"
[ -d "${LOG_DIR}" ] || error "${LOG_DIR} is not a directory"
#### CSR VALIDATION
# verify .csr file
CSR_FILE="${CSR_DIR}/${VHOST}.csr"
debug "Using CSR file: ${CSR_FILE}"
[ -f "${CSR_FILE}" ] || error "${CSR_FILE} absent"
[ -r "${CSR_FILE}" ] || error "${CSR_FILE} is not readable"
csr_verify "${CSR_FILE}" || error "${CSR_FILE} is invalid"
# Hook for evoadmin-web in cluster mode : check master status
evoadmin_state_file="/home/${VHOST}/state"
[ -r "${evoadmin_state_file}" ] \
&& grep -q "STATE=slave" "${evoadmin_state_file}" \
&& debug "We are slave of this evoadmin cluster. Quit!" \
&& exit 0
#### INIT OR RENEW?
LIVE_DIR="${CRT_DIR}/${VHOST}/live"
LIVE_CERT="${LIVE_DIR}/cert.crt"
LIVE_FULLCHAIN="${LIVE_DIR}/fullchain.pem"
LIVE_CHAIN="${LIVE_DIR}/chain.pem"
# If live symlink already exists, it's not our first time...
if [ -h "${LIVE_DIR}" ]; then
# we have a live symlink
# let's see if there is a cert to renew
x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid"
# Verify if our certificate will expire
crt_end_date=$(x509_enddate "${LIVE_CERT}" | cut -d= -f2)
date_renew=$(date -ud "${crt_end_date} - ${SSL_MINDAY} days" +"%s")
date_today=$(date +'%s')
if [ "${date_today}" -lt "${date_renew}" ]; then
debug "Cert ${LIVE_CERT} expires at ${crt_end_date} => more than ${SSL_MINDAY} days: kthxbye."
exit 0
fi
fi
#### CERTIFICATE CREATION WITH CERTBOT
ITERATION=$(date "+%Y%m%d%H%M%S")
[ -n "${ITERATION}" ] || error "invalid iteration (${ITERATION})"
NEW_DIR="${CRT_DIR}/${VHOST}/${ITERATION}"
[ -d "${NEW_DIR}" ] && error "${NEW_DIR} directory already exists, remove it manually."
mkdir -p "${NEW_DIR}"
chmod -R 0700 "${CRT_DIR}"
chown -R acme: "${CRT_DIR}"
debug "New cert will be created in ${NEW_DIR}"
NEW_CERT="${NEW_DIR}/cert.crt"
NEW_FULLCHAIN="${NEW_DIR}/fullchain.pem"
NEW_CHAIN="${NEW_DIR}/chain.pem"
CERTBOT_MODE=""
[ "${TEST}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --test-cert"
[ "${CRON}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --quiet"
[ "${DRY_RUN}" = "1" ] && CERTBOT_MODE="${CERTBOT_MODE} --dry-run"
CERTBOT_REGISTRATION="--agree-tos"
if [ -n "${SSL_EMAIL}" ]; then
debug "Registering at certbot with ${SSL_EMAIL} as email"
CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} -m ${SSL_EMAIL}"
else
debug "Registering at certbot without email"
CERTBOT_REGISTRATION="${CERTBOT_REGISTRATION} --register-unsafely-without-email"
fi
# Permissions checks for acme user
sudo -u acme test -r "${CSR_FILE}" || error "File ${CSR_FILE} is not readable by user 'acme'"
sudo -u acme test -w "${NEW_DIR}" || error "Directory ${NEW_DIR} is not writable by user 'acme'"
# create a certificate with certbot
sudo -u acme \
${CERTBOT_BIN} \
certonly \
${CERTBOT_MODE} \
${CERTBOT_REGISTRATION} \
--non-interactive \
--webroot \
--csr "${CSR_FILE}" \
--webroot-path "${ACME_DIR}" \
--cert-path "${NEW_CERT}" \
--fullchain-path "${NEW_FULLCHAIN}" \
--chain-path "${NEW_CHAIN}" \
--logs-dir "$LOG_DIR" \
2>&1 \
| grep -v "certbot.crypto_util"
if [ "${DRY_RUN}" = "1" ]; then
echo "In dry-run mode, we stop here. Bye"
exit 0
fi
# verify if all is right
x509_verify "${NEW_CERT}" || error "${NEW_CERT} is invalid"
x509_verify "${NEW_FULLCHAIN}" || error "${NEW_FULLCHAIN} is invalid"
x509_verify "${NEW_CHAIN}" || error "${NEW_CHAIN} is invalid"
#### CERTIFICATE ACTIVATION
# link dance
if [ -h "${LIVE_DIR}" ]; then
rm "${LIVE_DIR}"
debug "Remove ${LIVE_DIR} link"
fi
ln -s "${NEW_DIR}" "${LIVE_DIR}"
debug "Link ${NEW_DIR} to ${LIVE_DIR}"
# verify final path
x509_verify "${LIVE_CERT}" || error "${LIVE_CERT} is invalid"
# update and reload Apache
command -v apache2ctl > /dev/null && sed_cert_path_for_apache "${VHOST}" "${LIVE_FULLCHAIN}"
if [ -n "$(pidof apache2)" ]; then
if $($(command -v apache2ctl) -t 2>/dev/null); then
debug "Apache detected... reloading"
service apache2 reload
else
error "Apache config is broken, you must fix it !"
fi
fi
# update and reload Nginx
command -v nginx > /dev/null && sed_cert_path_for_nginx "${VHOST}" "${LIVE_FULLCHAIN}"
if [ -n "$(pidof nginx)" ]; then
if $($(command -v nginx) -t 2>/dev/null); then
debug "Nginx detected... reloading"
service nginx reload
else
error "Nginx config is broken, you must fix it !"
fi
fi
}
main "$@"
Reference in New Issue View Git Blame Copy Permalink